One of our routers has multiple IPSec site-to-site VPNs, and the public IP of our router needs to change as our ISP is changing. I was wondering if there is a way I can migrate the IPSec VPNs on this router one by one instead of having all of them (remote side) change the peer IP at the same time. I know you can assign a secondary IP address to the interface and try to bring up the IPSec VPN using the secondary IP address, but I am not sure if that is reliable. Does anyone know of any other, better way to do this?
How about something like this: plug the new ISP into a separate L3 interface, apply the same crypto map (I'm assuming non-static or lack of RRI), start migrating routing for VPNs (both peer IP and subnets) and make sure remote ends specify both IPs (old and new ISP-assigned IP).
With a static crypto map it's a bit easier; you can choose which ISP is going to be chosen by setting routing for static peers via one interface or another.
You most likely need to do a similar thing for subnets reachable over VPN if you want full reliability. You can also try RRI (`reverse-route static` under the crypto map entries) for IPsec to populate the routing table for you.
I don't understand. When I am changing the IP address on an interface where the crypto map is applied, remote VPN sites need to change their peer IPs. Since I wanted to migrate remote VPNs to the new IP one by one and not all at once, how would that work?
Also, I don't have an additional interface on the router to create a new interface with the new IP address and a separate crypto map. The current setup has an Ethernet interface with the crypto map applied to it.
You can still use subinterfaces (dot1q tagged); they are L3 on routers.
But regardless, you can start adding remote peers to have both IP addresses as their peering points (both new and old ISP IP addresses). During the transition, if they fail with one ISP they will try to establish with another.
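A sketch of the two-address migration the replies describe (hub with both ISPs on dot1q subinterfaces, remote site listing both hub addresses, hub steering each site via a host route), written as an added example for this thread and not taken from the original posts. Interface names, VLAN tags, ACL names and the addresses are assumptions: 198.51.100.2 is the hub's old ISP address, 192.0.2.2 the new one, 203.0.113.10 a remote site.

```cisco
! === Hub router: both ISPs on dot1q subinterfaces, one crypto map on each (assumed names) ===
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! keepalives so a remote site detects a dead hub address and moves to its other one
crypto isakmp keepalive 10 3
crypto isakmp key REPLACE_WITH_PSK address 203.0.113.10
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended VPN_SITE_A
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address VPN_SITE_A
 reverse-route static
!
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 198.51.100.2 255.255.255.252
 crypto map CM
interface GigabitEthernet0/0.200
 encapsulation dot1Q 200
 ip address 192.0.2.2 255.255.255.252
 crypto map CM
! Host route per remote site decides which ISP (and so which hub address) carries it.
! Migrating a site = moving its host route from the old next hop to the new one.
ip route 203.0.113.10 255.255.255.255 192.0.2.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! === Remote site A: both hub addresses as peers, preferred first, the other tried on failure ===
crypto isakmp key REPLACE_WITH_PSK address 192.0.2.2
crypto isakmp key REPLACE_WITH_PSK address 198.51.100.2
ip access-list extended VPN_HUB
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map CM 10 ipsec-isakmp
 set peer 192.0.2.2
 set peer 198.51.100.2
 set transform-set TS
 match address VPN_HUB
 reverse-route static
```

Cisco documents `crypto map <name> local-address` for one map applied to several interfaces, which pins a single source address and would defeat the two-address migration; if that is required on your release, a second crypto map on the new subinterface gives the same result.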